
Available online at www.sciencedirect.com

ScienceDirect
IERI Procedia 10 (2014) 11–18

2014 International Conference on Future Information Engineering

Fast Authentication during Handover in 4G LTE/SAE Networks


Mourad Abdeljebbar (a,*), Rachid El Kouch (b)
(a) Multimedia, Signal and Communications System Team, Institut National des Postes et Télécommunications, 2 av Allal El Fassi Madinat Al Irfane, Rabat 10112, Morocco
(b) Multimedia, Signal and Communications System Team, Institut National des Postes et Télécommunications, 2 av Allal El Fassi Madinat Al Irfane, Rabat 10112, Morocco

Abstract

The LTE/SAE (Long Term Evolution/System Architecture Evolution) architecture design differs greatly from the existing (3G) network, which brings with it a need to adapt and improve the security functions. In fact, security issues in telecommunications networks will surely be a major subject of discussion in the next few years, in which the delay remains very important and should be minimized. Thus, the Handover Keying Working Group (HOKEY) tries to reduce the delay caused by authentication once the mobile user changes its location. Therefore, the focus of this paper is a brief discussion of the IETF HOKEY solution for fast authentication of subscribers during handover in the LTE/SAE network.

© 2014. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/).
Selection and peer review under responsibility of Information Engineering Research Institute

Keywords: LTE/SAE; HOKEY; Handover; Security

* Corresponding author. Tel.: +212-661-746-907; fax: +212-537-773-044.
E-mail address: abdeljebbar@inpt.ac.ma

2212-6678 © 2014 Published by Elsevier B.V.
doi:10.1016/j.ieri.2014.09.064

1. Introduction

Nowadays, security is a central part of any communications system. For this reason, the next generation mobile telecommunication system (LTE/SAE) is being prototyped for increased security and reliable communication. Accordingly, it has several key differences compared to 3G and older versions, such as the 4G network becoming totally IP-based. This will solve many problems in terms of interoperability across heterogeneous network environments, but it will pose greater risks in terms of safety and reliability. Furthermore, mobility improvement is very important in any wireless network. For this reason, handover in LTE/SAE will be more frequent and should become more crucial, especially for real-time services.
The purpose of this paper is to give a brief presentation of the LTE/SAE network architecture, in which we define some handover technologies. Next, we explain the security architecture used by the LTE/SAE network, in which we specify the security architecture used in the handover. Finally, we present and discuss the HOKEY WG's proposal.

2. 4G LTE/SAE network overview

The objective of LTE/SAE as a 4G standard for wireless communication is to be IP-based and to have a minimum of network elements, in order to minimize protocol processing, latency and deployment costs, and especially to increase security and provide reliable communications [1][2].

2.1. LTE/SAE architecture

The LTE/SAE network architecture contains two main parts: the Evolved UTRAN (E-UTRAN) and the Evolved Packet Core (EPC). The first part includes one or more evolved NodeBs (eNB), which are responsible for radio transmission and reception with the mobile user, while the EPC contains the following five elements:
• Mobility Management Entity (MME), which is the main signaling node and is responsible for initiating paging and authentication of the mobile device.
• Policy and Charging Rules Function (PCRF), which supports service policies for data flow detection, enforcement and flow-based client charging.
• Serving Gateway, which routes and forwards the user data packets.
• PDN gateway, which provides connectivity from the mobile user to external packet data networks by being the point of exit and entry of traffic for the mobile user.
• Home Subscriber Server (HSS), which is the subscriber database containing the static subscriber information and the authentication and security data that can be used for authentication of the subscriber and encryption of user traffic [1][3].

Fig. 1. LTE/SAE network architecture



2.2. Handover mechanism in LTE/SAE network

Transparent access to services is among the objectives of E-UTRAN, and it is guaranteed by the handover mechanism. Therefore, the use of this mechanism should reduce the latency requirements of the system. In fact, the wireless communication system supports the following two main handover mechanisms:
• Hard handover means that the mobile user should be detached from the source eNB before it attaches to the destination eNB.
• Soft handover means that the mobile user should be attached to the destination eNB while it is still attached to the source eNB.
Indeed, the handover decisions in the LTE/SAE system are executed in the eNBs themselves by exchanging the necessary information between each other. Also, the eNB involves the MME/SGW only when the handover is complete, at which point the MME/SGW switches the path (see Fig. 2 below).

Fig. 2. LTE/SAE handover sequence in the X2 interface

3. 4G LTE/SAE security architecture

As mentioned above, security is a big issue in telecommunications networks such as the LTE/SAE network. Therefore, LTE/SAE should be more secure than the 3G network and especially should have a strengthened defense against current attacks from the Internet, without any change to the USIM card. For this reason, LTE/SAE introduces a new key generation system in which the keys are generated for different purposes [5].

3.1. Security architecture

Firstly, the most important security issue in the LTE/SAE network is network access security, which protects the communications between the mobile user and the network across the radio interface. The security architecture of network access contains 4 functions:
• Authentication: It is achieved by mutual authentication between the network and the mobile user, in which the EPC accepts the mobile user to use its own services and the mobile user concludes that this is a real network.
• Confidentiality: It is guaranteed by keeping confidential the static user identity called IMSI (International Mobile Subscriber Identity), which is needed to clone any mobile user. Thus, LTE avoids the use of the IMSI by using a temporary identity called TMSI (Temporary Mobile Subscriber Identity) when it wants to communicate with the mobile user.
• Ciphering: It is ensured by the use of encryption algorithms, which prevent any intruder from reading the messages exchanged between the mobile and the network.
• Integrity protection: It protects the system by detecting any attempt by an intruder to modify the signaling messages exchanged between the mobile user and the network [6].

3.2. Hierarchical key system

The security system in the LTE/SAE network is based on a hierarchical key system which depends on a specific key, denoted K, stored in the HSS and in the USIM card. This key derives two specific keys used in the 3G network: a ciphering key (CK) and an integrity key (IK). Thereafter, LTE uses these keys to derive another key called the access security management entity key, denoted KASME. With this, the MME and the mobile user derive three further keys that will be used for the communications between them. The first two keys are KNASenc and KNASint, which are used for ciphering and integrity protection of non-access stratum (NAS) signaling messages. The last one is an eNodeB key, denoted KeNB, from which three new keys are derived; these are used for ciphering of data (KUPenc), ciphering of RRC signaling messages (KRRCenc) and integrity protection of RRC signaling messages (KRRCint) in the access stratum (AS) (see Fig. 3) [6].

Fig. 3. Hierarchical key system

The use of this system brings several benefits: for example, the mobile user does not lose the values of CK and IK even if it disconnects from the network, whereas the MME keeps the value of KASME. Due to this, the system secures the next attachment of the mobile user to the network. Likewise, it ensures that the keys are separated, so the discovery of one will not help anyone to learn another.
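
The hierarchy described in this section can be reproduced with the key derivation function that 3GPP specifies for EPS: HMAC-SHA-256 over a string built from an FC code and length-tagged parameters (TS 33.220, with the FC values of TS 33.401 Annex A, neither of which this paper lists). The following Python code is an added example, not the authors' code; the CK, IK, serving-network identity and SQN xor AK values are constructed.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    # TS 33.220 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

# Algorithm type distinguishers used with FC 0x15 (TS 33.401 Annex A)
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 1, 2, 3, 4, 5

def alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    # The 256-bit output is truncated to its 128 least significant bits
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]

def derive_hierarchy(ck, ik, sn_id, sqn_xor_ak, ul_nas_count, eea=2, eia=2):
    """Return every key below CK/IK in the hierarchy of section 3.2."""
    k_asme = kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)              # FC 0x10: KASME
    k_enb = kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big"))  # FC 0x11: KeNB
    return {
        "K_ASME": k_asme,
        "K_NASenc": alg_key(k_asme, NAS_ENC, eea),
        "K_NASint": alg_key(k_asme, NAS_INT, eia),
        "K_eNB": k_enb,
        "K_UPenc": alg_key(k_enb, UP_ENC, eea),
        "K_RRCenc": alg_key(k_enb, RRC_ENC, eea),
        "K_RRCint": alg_key(k_enb, RRC_INT, eia),
    }

# Constructed sample inputs (not real subscriber material)
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SN_ID = bytes.fromhex("00f110")             # PLMN identity of test network 001/01
SQN_XOR_AK = bytes.fromhex("0000000000a1")

if __name__ == "__main__":
    for name, key in derive_hierarchy(CK, IK, SN_ID, SQN_XOR_AK, 0).items():
        print(f"{name:9s} {key.hex()}")
```

Because every derivation is a one-way function of its parent, a new uplink NAS count yields a new KeNB and new AS keys while the NAS keys stay unchanged, and a leaked leaf key does not reveal its parent or siblings.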

3.3. Authentication and Key Agreement

To ensure at least the same security level as the 3G network, LTE uses the AKA procedure, in which the mobile user confirms the network's identity and the network confirms the mobile's identity. The figure below illustrates this AKA procedure:

Fig. 4. AKA procedure

Before starting the AKA procedure, the MME obtains the mobile's identifier from its own database or from the last MME to which the mobile user was attached. Otherwise, it can ask the mobile user itself with an EMM Identity Request. After that, it requests from the HSS the specific key and the authentication vector, which contains the following elements:
• RAND: A random number which serves as one of the input parameters to generate the other parameters of the vector.
• XRES: The expected result of RAND, which is used to authenticate the mobile user.
• AUTN: The authentication token, which is used to prevent any intruder from replacing any authentication request.
• KASME: The access security management entity key.
Afterward, the MME sends RAND and AUTN to the mobile user so that it can verify that the network knows the real value of its security key K. At the same time, the mobile user generates RES, which is computed from the RAND received from the MME and its own security key K. Then, it returns the result to the MME, which compares it with the value received from the HSS. If the values of RES and XRES are equal, the MME concludes that the mobile is genuine [6].
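
The exchange described above, with the HSS, mobile and MME sides as separate functions, is shown in the following added example (not the authors' code). Assumptions: HMAC-SHA-256 stands in for the operator's AKA functions f1, f2 and f5 (real USIMs typically use MILENAGE), the AUTN layout SQN xor AK || AMF || MAC follows 3GPP TS 33.102, the sequence-number check is reduced to "strictly greater than the last accepted value", and both keys are constructed.

```python
import hashlib
import hmac
import os

def f(k: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    # Stand-in for the AKA functions f1/f2/f5 (assumption: HMAC-SHA-256)
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hss_vector(k: bytes, sqn: int, amf: bytes = b"\x80\x00"):
    """HSS side: build RAND, AUTN and XRES for one authentication."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    ak = f(k, b"f5", rand, n=6)                   # anonymity key hides SQN
    mac = f(k, b"f1", rand, sqn_b, amf, n=8)      # proves knowledge of K
    return rand, xor(sqn_b, ak) + amf + mac, f(k, b"f2", rand, n=8)

def usim_respond(k: bytes, rand: bytes, autn: bytes, highest_sqn: int):
    """Mobile side: authenticate the network via AUTN, then compute RES."""
    sqn_b, amf, mac = xor(autn[:6], f(k, b"f5", rand, n=6)), autn[6:8], autn[8:]
    if not hmac.compare_digest(mac, f(k, b"f1", rand, sqn_b, amf, n=8)):
        return "mac_failure", None                # sender does not hold K
    if int.from_bytes(sqn_b, "big") <= highest_sqn:
        return "sync_failure", None               # stale or repeated challenge
    return "ok", f(k, b"f2", rand, n=8)

def mme_accepts(res, xres: bytes) -> bool:
    """MME side: the mobile is genuine only if RES equals XRES."""
    return res is not None and hmac.compare_digest(res, xres)

def run_aka(k_usim: bytes, k_hss: bytes, sqn: int, highest_sqn: int):
    """One full run; returns (mobile's verdict on the network, MME's verdict)."""
    rand, autn, xres = hss_vector(k_hss, sqn)
    status, res = usim_respond(k_usim, rand, autn, highest_sqn)
    return status, mme_accepts(res, xres)

# Constructed keys (not real subscriber material)
K_SUBSCRIBER = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
K_OTHER = bytes(16)   # a network side that does not know the subscriber's K

if __name__ == "__main__":
    print(run_aka(K_SUBSCRIBER, K_SUBSCRIBER, sqn=5, highest_sqn=4))
    print(run_aka(K_SUBSCRIBER, K_OTHER, sqn=5, highest_sqn=4))
    print(run_aka(K_SUBSCRIBER, K_SUBSCRIBER, sqn=5, highest_sqn=5))
```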

3.4. Security activation

Firstly, the NAS security is activated when the AKA procedure is finished. In this case, the MME calculates the values of KNASenc and KNASint and asks the mobile user to activate this security. Then, the mobile calculates its own copies of KNASenc and KNASint and begins the ciphering and the integrity protection with the network. However, the mobile user and the MME delete these keys if the mobile disconnects from the network, but the MME keeps its copy of KASME, while the mobile user keeps its copies of CK and IK.
The AS security, in turn, is activated before the network establishes the default radio bearer and the signaling radio bearer. In this case, the eNB uses its own key to generate the three keys that the mobile user will use for ciphering and integrity protection. Finally, the mobile user acknowledges the eNB and starts the downlink ciphering [6].

3.5. Ciphering

Ciphering is achieved by combining the outgoing data with a pseudo-random key stream using an exclusive-OR operation. This pseudo-random key stream is generated from the ciphering key of the transmitter together with some information fields. The receiver recovers the original data by performing the same mixing process. Currently, LTE supports three EPS (Evolved Packet System) encryption algorithms (EEAs), including SNOW 3G and Advanced Encryption Standard (AES) [6].

3.6. Integrity protection

Integrity protection is achieved by using the EIA (EPS integrity algorithm) to send any signaling message. The transmitter uses the appropriate integrity protection key to generate an integrity field denoted MAC-I. The receiver separates the integrity field from the signaling message and calculates its own integrity field, denoted XMAC-I. If the two integrity fields are not the same, the receiver concludes that the message has been modified and discards it.

3.7. Security in Handover process

The installation of an eNB in an exposed area creates a high risk of unauthorized access to it, so adequate security is required. To achieve that, the concept of forward security was introduced to LTE. This means that the computational complexity prevents guessing the future KeNB which will be used between the mobile user and the target eNB. Figure 5 shows the handover key chaining model used for intra-LTE handovers.

Fig. 5. Model for the handover key chaining



Generally, the MME generates an initial key, denoted KeNB, and sends it to the serving eNB. The source eNB always derives a new eNB key, denoted KeNB*, and sends it to the target eNB during any intra- or inter-eNB handover. This eNB then uses this key to derive the base key that will be used for deriving the ciphering and integrity keys [5][7].
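
The forward-security property can be checked by running the chaining model in code. The following Python code is an added example, not the authors' code, and goes beyond the text above: it uses the Next Hop (NH) parameter and the FC codes 0x11, 0x12 and 0x13 of 3GPP TS 33.401 Annex A, none of which this section names. KeNB* is derived either from the current KeNB ("horizontal") or from an NH value that only the MME and the mobile can compute from KASME ("vertical"). The KASME, cell identities and frequencies are constructed.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    # TS 33.220 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def next_hop(k_asme: bytes, sync_input: bytes) -> bytes:
    """NH = KDF(KASME, 0x12, KeNB or previous NH); needs KASME, so no eNB can compute it."""
    return kdf(k_asme, 0x12, sync_input)

def kenb_star(base_key: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* bound to the target cell's physical cell id and downlink frequency."""
    return kdf(base_key, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

def run_handovers(k_asme: bytes, k_enb: bytes, hops):
    """hops: (pci, earfcn_dl, use_nh) tuples. Returns the KeNB in use after each hop."""
    nh = next_hop(k_asme, k_enb)          # first NH, chained from the initial KeNB
    keys = []
    for pci, earfcn_dl, use_nh in hops:
        if use_nh:                        # vertical: fresh NH supplied by the MME
            k_enb = kenb_star(nh, pci, earfcn_dl)
            nh = next_hop(k_asme, nh)     # MME and mobile advance the chain
        else:                             # horizontal: only the source eNB's own key
            k_enb = kenb_star(k_enb, pci, earfcn_dl)
        keys.append(k_enb)
    return keys

# Constructed values (not real network material)
K_ASME = bytes(range(32))
K_ENB0 = kdf(K_ASME, 0x11, (0).to_bytes(4, "big"))   # initial KeNB, NAS count 0

if __name__ == "__main__":
    hops = [(101, 1850, False), (102, 1850, True)]
    for hop, key in zip(hops, run_handovers(K_ASME, K_ENB0, hops)):
        print(hop, key.hex())
```

An eNB that held the initial KeNB can recompute the key of the horizontal hop, which is why that hop alone gives no forward security. The vertical hop's key is out of its reach because NH depends on KASME.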

4. HOKEY WG security architecture proposal

As we saw above, the mobile user needs to re-authenticate each time it changes its location. This process adds latency due to the signaling overhead, and it creates a series of security vulnerabilities due to the longer-lasting exposure of the medium. Also, this re-authentication generates a time delay. Accordingly, the HOKEY working group has worked on reducing this delay. This work progressed in two ways: the first is to do an early authentication, which means that the mobile user should be authenticated before doing the handover, while the second is to reuse the cryptographic material generated during an initial authentication.
Likewise, the HOKEY proposal suggests reducing the signaling overhead by minimizing the communication between the mobile user and the home servers, especially for authentication. Furthermore, if the authentication service depends on a remote server, a network partition can result in denial of service to valid users.

4.1. HOKEY architecture functionalities

Accordingly, the HOKEY architecture requires the following functionalities:

• Authentication Subsystem Function, which depends on the availability of the discovery of the target access point (TAP).
• Pre-Authentication Function, which ensures the discovery of the TAPs and completes the network access authentication and authorization at each TAP before the handover.
• EAP Re-Authentication Function, which ensures the authentication of the mobile user at any access point by using the key material derived from a previous full EAP authentication.
• EAP Authentication Function, which ensures the authentication of the mobile user at any access point using a full EAP exchange.
• Authenticated Anticipatory Keying (AAK) Function, which ensures the pre-placing of key material derived from an initial full EAP authentication on TAPs.
• Management of EAP-Based Handover Keys, which consists of EAP method-independent key derivation and distribution and comprises the following specific functions: handover key derivation and handover key distribution.

4.2. HOKEY architecture components

The components of the HOKEY architecture are as follows:

• Peer is the end of the link which communicates with the authenticator.
• Authenticator is the one that initiates the EAP authentication.
• EAP server is the one that terminates the EAP authentication method with the peer.
• ER server is the one that performs the server portion of ERP and terminates the EAP re-authentication exchange with the peer.
• ER/AAK server is the one that performs the AAK function [1][8].

5. Conclusion

In this paper, the HOKEY WG architecture proposal was presented. EAP, which supports different types of authentication methods, is used for authentication in almost every access network, such as LTE. It can therefore degrade the delay each time the mobile changes its attachment from one base station to another. For this reason, ERP was developed to minimize this delay and the interactions between the mobile and the authenticator. However, the need to request re-authentication parameters from the authenticator can degrade the re-authentication delay, especially if the authenticator is too far from the mobile, for example when the mobile is located in the visited network. Therefore, the solution of reusing the cryptographic material generated during an initial authentication can save time. In LTE, this solution is applied by keeping the KASME key in the MME, but the discovery of this key by an intruder creates a high risk of discovering the derived keys, so the intruder could use the network without any problem. Doing an early authentication before the handover can also decrease the re-authentication delay and also solves the problem of access to a false base station. However, using the AAK can help a base station to differentiate between an EAP early authentication and an EAP re-authentication.

References

[1] Anastasios N. Bikos, Nicolas Sklavos, LTE/SAE Security Issues on 4G Wireless Networks, IEEE Security
& Privacy, Greece,2013.
[2] Qin-long Qiu, Jian Chen, Ling-di Ping, Qi-fei Zhang, Xue-zeng Pan, LTE/SAE Model and its
Implementation in NS 2, Fifth International Conference on Mobile Ad-hoc and Sensor Networks, Zhejiang
University, 2009.
[3] Anand R. Prasad, Julien Laganier, Alf Zugenmaier, Mortaza S. Bargh, Bob Hulsebosch, Henk Eertink,
Geert Heijenk, Jeroen Idserda, Mobility and Key Management in SAE/LTE, online available from
http://eprints.eemcs.utwente.nl.
[4] Jihai Han, Bingyang Wu, Handover in the 3GPP Long Term Evolution (LTE) Systems, Mobile Congress
(GMC), 2010.
[5] Alf Zugenmaier, Hiroshi Aono, Security technology for LTE/SAE, NTT DOCOMO Technical Journal
Vol. 11 No. 3, online available from https://www.nttdocomo.co.jp/english.
[6] Christopher Cox, An introduction to LTE, LTE-Advanced, SAE and 4G Mobile Communications, John
Wiley & Sons, United Kingdom, 2012.
[7] LTE and the evolution to 4G wireless : Design and Measurement Challenges, Security in the LTE-SAE
Network, online available from http://www.home.agilent.com.
[8] G. Zorn, Ed., Q. Wu, T. Taylor, Y. Nir, K. Hoeper, S. Decugis, Handover Keying (HOKEY) Architecture
Design, Internet Engineering Task Force (IETF), July 2012.
